# Log4j - Initial Access to the Cloud

By [Guy Arazi](https://www.paloaltonetworks.com/blog/author/guy-arazi/?ts=markdown "Posts by Guy Arazi"), [Or Kliger](https://www.paloaltonetworks.com/blog/author/or-kliger/?ts=markdown "Posts by Or Kliger") and [Dror Alon](https://www.paloaltonetworks.com/blog/author/dror-alon/?ts=markdown "Posts by Dror Alon")

Mar 21, 2022

Much has been written about the [Log4j vulnerabilities](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/) since the first was reported on Dec. 9, 2021, and not nearly enough about how they affect our cloud environments. This CVE required immediate action from both cloud providers and cloud users to update and patch their infrastructure. However, as with every zero-day, there was a significant amount of time before it was exposed, during which attackers could exploit the vulnerability. Most attacks seen in the wild ended with mining activity or ransomware on the vulnerable host. In the context of cloud, an attack may result in initial access to the cloud environment, potentially allowing an attacker to gain access to sensitive data and resources.

In this blog we will share additional insights on how the Log4j vulnerabilities may be exploited against cloud environments and the impact this may cause, and then provide information on Cortex XDR detection and hunting capabilities to handle such scenarios.

## **Log4j in the Clouds**

The major cloud providers have published patches for the Log4j vulnerabilities, including [Amazon Web Services (AWS)](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/), [Google Cloud](https://cloud.google.com/log4j2-security-advisory), and [Microsoft Azure](https://devblogs.microsoft.com/devops/azure-devops-and-azure-devops-server-and-the-log4j-vulnerability/).

As expected, some of the most common cloud services were vulnerable to the Log4j CVE, including compute services, storage services, databases, and more. It is therefore possible that organizations' cloud environments were breached before patches were released or applied, so detection, threat hunting, investigation and response should be performed.

## **Log4j Cloud Exploitation**

Taking into account how widespread Log4j library usage is, and the fact that the primary CVE is a Remote Code Execution (RCE) zero-day with critical severity, we can try to understand the variety of options available to a malicious actor looking to exploit the vulnerability in cloud environments.

The techniques shown here would work against unpatched systems -- and could have been carried out by attackers before organizations had the chance to patch. We recommend patching against Log4j vulnerabilities as soon as possible, while also following best practices for detection and hunting to identify any existing breaches.

Exploitation attempts seen in the wild fall into two categories:

1. Direct exploitation attempt against the vulnerable asset: a malicious request to a vulnerable asset, with the expectation that the exploit executes upon that specific asset.
2. Indirect exploitation attempt against a vulnerable asset: a malicious request to an asset which is not vulnerable; however, the request will most likely be logged on a different service which may be vulnerable.

### Direct exploitation attempts in the wild

Attackers sometimes attempted to use the vulnerabilities to get hold of secrets that could grant initial or expanded access. One direct exploitation attempt seen in the wild tried to retrieve AWS ENV variables:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-19.png)

While not every compute instance holds secrets in its ENV variables, AWS Lambda functions do. This means that exploiting a vulnerable Lambda function will result in successful exfiltration of the function's token, allowing the attacker to execute cloud API calls on behalf of the Lambda. We would recommend following the [mitigation steps and recommendations](https://aws.amazon.com/security/security-bulletins/AWS-2021-006/) provided by AWS.

### Indirect exploitation attempts in the wild

A different approach is to try to affect an organization's logging server/service and not the attacked resource. For example, see this malicious API call for cloud storage objects:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-20.png)

The malicious API call itself is executed upon the cloud storage object, which does not affect the victim environment. However, it is a common best practice for organizations to log their cloud infrastructure API calls. In such cases the attack does not target any customer-owned server but the infrastructure those servers run on, which makes it harder or impossible to detect in customer-side logs. Having said that, once an attacker compromises the actual infrastructure, other attacks can be carried out against the customer's assets with a high probability of avoiding most mitigations.

## **Seeking Tokens to Gain Initial Access**

### Metadata Abuse across the clouds

Because the vulnerability allows Remote Code Execution (RCE), it can be exploited through many vectors. One such vector is the cloud Metadata service, which holds data about your compute instance that you can use to configure or manage the running instance.

A successful exploitation enables attackers to access the Metadata service, which can only be accessed from within the machine through a loopback. As seen below, once Metadata access is achieved, a malicious actor may manipulate it to their own advantage.

#### AWS Instance Metadata Abuse

The attacker can exploit the vulnerable customer's service using an HTTP request with a crafted Log4j payload, which can be delivered in various ways, e.g., headers, URI, etc. The payload retrieves the metadata service via the machine's loopback interface and sends the output to the attacker's controlled server.

Payload flow:

1. Queries the metadata service using an HTTP GET request to ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-21.png)
2. Encodes the output with base64 and sends it back to the attacker's HTTP server.

Using this method, attackers can exfiltrate all the information available to the Metadata service, which includes the instance's token, network information, SSH key, etc. Below, we demonstrate how it could steal SSH keys:

![Request against the vulnerable server that leverages LDAP](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-22.png)

*Request against the vulnerable server that leverages LDAP*

![Decoded data contains the relevant EC2 SSH keys](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-23.png)

*Decoded data contains the relevant EC2 SSH keys*

![Attacker gets the exfiltrated data to its HTTP server](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-24.png)

*Attacker gets the exfiltrated data to its HTTP server*

#### Google Cloud Instance Metadata Abuse

A similar scenario applies to unpatched instances hosted on Google Cloud. We would recommend following the [mitigation steps and recommendations](https://cloud.google.com/blog/products/identity-security/recommendations-for-apache-log4j2-vulnerability) provided by GCP.

A successful attack could be used to exfiltrate the Service-Account (SA) access token that is attached to the machine, as well as additional metadata about the machine, including the associated project ID, instance name, and instance zone.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/image-30.png)

*Exfiltrate a Google Cloud Instance Access Token*

Once the SA token and the instance details are exfiltrated, the attacker can leverage them to invoke additional cloud API calls on the SA's behalf.
This may include the compute API, which enables obtaining the current metadata fingerprint and modifying the instance metadata by adding new SSH keys to it. The metadata SSH keys are automatically processed and added to the local machine.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-26.png)

![Add a SSH key to the instance metadata](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-27.png)

*Add a SSH key to the instance metadata*

As a result, the attacker has backdoor privileged SSH access to the instance.

![New Local User SSH Access](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-28.png)

*New Local User SSH Access*

In Google Cloud, by default, the SA account which is attached to new instances contains the IAM editor role with a scope of all instances (which is a very permissive permission), meaning an attacker would be able to launch as many instances as desired after successfully compromising it (and set up an army of miners). To avoid such cases, we would recommend following Google Cloud's [limiting service account privileges](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) guidelines.

## Detecting and Investigating With Cortex XDR For Cloud

As we can see, there are many attack techniques that can be carried out in the cloud. Cortex XDR has been improving coverage for such attack scenarios to assist customers in detection, hunting, and mitigation.

![Log4j exploitation via cloud SDK shown in Cortex’s new Cloud causality card](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-29.png)

*Log4j exploitation via cloud SDK shown in Cortex's new Cloud causality card*

The ability to detect exfiltration of cloud tokens is one of the crucial Cortex XDR for cloud capabilities for this situation. Below we can see an example of such an alert: "Suspicious usage of EC2 token."
Cortex XDR for cloud is able to learn the behavior of cloud environments and detect when a specific EC2 token (a token generated by and for an EC2 instance) is being used outside of its dedicated instance.

![The STS token should be used only within its dedicated EC2 instance.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-30.png)

*The STS token should be used only within its dedicated EC2 instance.*

In addition, Cortex XDR for cloud is able to learn typical behavior in your cloud and alert on unusual activities -- for example, unusual geolocation activity. Specifically for cloud assets, unusual geolocation activity may indicate a breach: if XDR for cloud has learned that a cloud instance's typical activity comes from US regions (as it is deployed there), we don't expect to see any type of API call execution from any other geolocation.

![Analytics profiles learning the usual behavior in the environment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-31.png)

*Analytics profiles learning the usual behavior in the environment*

While monitoring, detecting and [hunting the attack's exploitation attempts](https://www.paloaltonetworks.com/blog/security-operations/hunting-for-log4j-cve-2021-44228-log4shell-exploit-activity/) is necessary, in many cases additional actions are required in order to determine the impact on cloud infrastructure.

Let's try to investigate the attack described above against the Google Cloud hosted instance. As mentioned, an attacker could gain initial access by exfiltrating the Service Account (SA) token remotely and use it to gain SSH access to the instance.

As an initial step, we can try to hunt for unusual activity. We can do so by imitating the "unusual geolocation activity" alert with a minor change.
To do so, we will use the following query (while the query below filters for Google Cloud, the `filter cloud_provider = "GCP"` condition can be removed, and the query will then be executed upon all cloud providers):

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-32.png)

By using `filter identity_type != ENUM.Users` we keep only cloud identities which are not of the type User. As mentioned above, a cloud asset should not have multiple geolocations, and as we can see in the results, the compromised SA pops up with three different geolocations.

![Hunting for cloud identities (non-users) with multiple geolocation activity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-33.png)

*Hunting for cloud identities (non-users) with multiple geolocation activity*

Once we have identified the compromised SA, we can investigate and look for all the operations executed by it by running the following XQL query:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-34.png)

![Investigating operation of a specific SA](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-35.png)

*Investigating operation of a specific SA*

As we can see above, two API calls (one successful and one that failed) were executed to update the Metadata service. We can also find additional indicators of compromise (IoCs) with the attack IP and ASN it was launched from.

## Summary

The primary Log4j vulnerability is extremely critical, potentially allowing anonymous attackers from the internet to gain initial access to cloud environments. Cortex XDR for cloud provides a useful suite of tools to quickly detect and investigate such attacks -- from out-of-the-box detectors that detect different patterns of the attack, to incident and alert visualization, to the ability to run hunting queries against audit logs to investigate the cloud breach and its affected users and resources.

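The two hunting steps from the Google Cloud investigation above (non-user identities seen from several geolocations, then every operation of the flagged SA), written out in Python as an added example; this is not the authors' XQL or Cortex XDR code. The record field names, identities, IPs and ASNs are constructed, the `v1.compute.instances.setMetadata` operation name is assumed to be how the audit log records a metadata update, and the US baseline is an assumption taken from the article's "deployed in US regions" illustration.

```python
from collections import defaultdict


def rec(identity, identity_type, country, source_ip, asn, operation, status,
        provider="GCP"):
    """Build one constructed audit record (field names are hypothetical)."""
    return dict(identity=identity, identity_type=identity_type, country=country,
                source_ip=source_ip, asn=asn, operation=operation,
                status=status, cloud_provider=provider)


SA = "web-sa@demo-project.iam.gserviceaccount.com"       # constructed
BATCH = "batch-sa@demo-project.iam.gserviceaccount.com"  # constructed
SET_MD = "v1.compute.instances.setMetadata"

# Constructed sample data; IPs and ASNs come from documentation ranges.
AUDIT_LOG = [
    rec(SA, "SERVICE_ACCOUNT", "US", "192.0.2.10", 64496, "storage.objects.get", "SUCCESS"),
    rec(SA, "SERVICE_ACCOUNT", "NL", "198.51.100.7", 64500, "v1.compute.instances.get", "SUCCESS"),
    rec(SA, "SERVICE_ACCOUNT", "NL", "198.51.100.7", 64500, SET_MD, "FAILED"),
    rec(SA, "SERVICE_ACCOUNT", "RO", "203.0.113.44", 64501, SET_MD, "SUCCESS"),
    rec(BATCH, "SERVICE_ACCOUNT", "US", "192.0.2.11", 64496, "storage.objects.list", "SUCCESS"),
    # A human user who travels: must NOT be flagged by the non-user hunt.
    rec("alice@example.com", "USER", "US", "192.0.2.50", 64496, "storage.objects.get", "SUCCESS"),
    rec("alice@example.com", "USER", "FR", "192.0.2.99", 64497, "storage.objects.get", "SUCCESS"),
]


def hunt_multi_geo(records, provider=None, min_countries=2):
    """Return {identity: sorted countries} for non-user identities that were
    seen from at least `min_countries` distinct geolocations."""
    seen = defaultdict(set)
    for r in records:
        if provider and r["cloud_provider"] != provider:
            continue                      # optional provider filter, as in the article
        if r["identity_type"] == "USER":
            continue                      # mirrors identity_type != ENUM.Users
        if r["country"]:
            seen[r["identity"]].add(r["country"])
    return {i: sorted(c) for i, c in seen.items() if len(c) >= min_countries}


# Operation suffixes treated as writes to instance or project metadata.
METADATA_WRITES = ("setMetadata", "setCommonInstanceMetadata")


def investigate(records, identity, baseline_countries=("US",)):
    """Summarise one identity: operation counts by status, metadata writes,
    and (source IP, ASN) pairs seen outside the expected geolocations."""
    ops = defaultdict(int)
    metadata_writes, iocs = [], set()
    for r in records:
        if r["identity"] != identity:
            continue
        ops[(r["operation"], r["status"])] += 1
        if r["operation"].endswith(METADATA_WRITES):
            metadata_writes.append((r["operation"], r["status"], r["source_ip"]))
        if r["country"] not in baseline_countries:
            iocs.add((r["source_ip"], r["asn"]))
    return {"operations": dict(ops),
            "metadata_writes": metadata_writes,
            "iocs": sorted(iocs)}


if __name__ == "__main__":
    for identity, countries in hunt_multi_geo(AUDIT_LOG, provider="GCP").items():
        print("suspicious non-user identity:", identity, countries)
        report = investigate(AUDIT_LOG, identity)
        for op, status, ip in report["metadata_writes"]:
            print("  metadata write:", op, status, "from", ip)
        print("  IoCs (ip, asn):", report["iocs"])
```

Excluding user identities matters here: a person may legitimately appear from several countries, while a service account attached to an instance should not.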
### Learn More

To learn how you can use Cortex XDR to investigate and stop Log4Shell attacks, investigate alerts and find vulnerable Log4j software in your environment, see our [Log4j incident response simulation](https://www.paloaltonetworks.com/resources/infographics/central-command).